# pulp-2to3-migration SELinux meeting ## Background info ### Satellite 6.9 features pulp3 is just there for preparation will not go production hard links happen because migration plugin run on same machine migration plugin gets run here, and here only. immediately upgrade to 6.10. But never intended to serve content Pulp 3 turned off and on when needed. Any SELinux failures were not breaking actual production functionality, but SELinux errors were still logged, which concerns consumers. ### Satellite 6.10 features Pulp 3 run here No migration plugin run here n 2 hard links (pulp 2 and pulp 3 path) to the same inode file will have the same selinux label. So pulp 3 will need access to SELinux context. definitely no later than sept 29th, possibly earlier but will let you know. Tanya can help Mike access the "dogfood" server, for the migration testing. dogfood == internal satellite with actual content. There's a link somewhere under http://ohsnap.sat.engineering.redhat.com/ Using dev as an internal testing server. Ask Tanya for permissions. ## Questions 1. For Satellite 6.9, should we update the pulp 3 selinux policy to enable pulp-2to3-migration to run on the same machine? a. Yes 2. For Satellite 6.9, should we update the pulp 3 selinux policy to enable pulp-2to3-migration to access Pulp 2 files over NFS/gluster/etc. a. I could look at the Pulp 2 policy to understand this. b. NFS for production? - probably only support exceptions for pulp 2. Not even sure if pulp 3 can run it. c. NFS for migration from pulp 2 only? - No longer the case. No longer a sat6 (EL7) to sat7 (EL8) migration. d. Satellite 7.0 will support both EL7 and EL8 e. Need to run restorecon every time. f. Possible to force an entire label for an nfs mount (from client's perspective.) 3. Should we do booleans like libvirt has? (See `sudo semanage boolean -l` and look for "virt"). a. Possibly, but see above about label. ###### tags: `2to3`, `Minutes`